
Auto hack risk

by Mark Rowe

The next big cyber security threat? You’re driving it, writes DJ Singh, Digital Architect at Wipro Digital.

The recent Jeep Hacking experiment is drawing public attention to potential safety issues with connected cars, while urging car manufacturers to speed up investments in cyber security and safety features. While cyber security threats are becoming more serious and an increasingly popular topic, the issue of cars’ security flaws has been a serious concern for far longer than most of us have realized.

Cars and code go back a long way, but security hasn’t caught up. Today’s average car contains hundreds of networked computing devices, and its software accounts for over half of its production costs. The code running these cars manages everything from critical functions to emissions reduction, and from improving efficiency to running diagnostics.

While automobile designers have been quick to focus on the car’s instrument cluster, they were slower in their efforts to make their cars’ computing systems secure. With the recent trend of users expecting to sync devices of their choice, vehicle manufacturers now have to deal with new threats posed by this connected ecosystem. Automotive safety researchers have demonstrated the vulnerabilities of connected cars by accomplishing a number of frightening feats:

1. One team wirelessly hacked into a common internet-connected infotainment system and, by using its own software update feature, installed malicious software to commandeer the car’s control systems.

2. Another team of researchers wrote malware that worked its way to the car’s control software whenever diagnostic equipment was connected to the car’s on-board diagnostic port.

3. In another incident, security researchers were able to brute-force their way to a Nissan Leaf’s APIs from the Internet. The car’s Mobile App (since withdrawn) had a vulnerability that allowed the researchers access to the car’s telematics data, such as driving range, via APIs that had no security mechanism in place.

4. In another example, a team of researchers exploited practically all of a car’s threat vectors: vulnerable diagnostic instruments, the media player (by playing a specially crafted media file), vulnerabilities in the car’s Bluetooth, and the car’s cellular modem (by calling it and playing a specially crafted audio encoding).

5. Other exploit vectors researched include in-vehicle Wi-Fi, telematics, remote keyless entry and RFID immobilizers, navigation systems, satellite radio and tire pressure monitor sensors. These vulnerabilities could allow malicious actors to, for example, eavesdrop on occupants of a car by turning on the car’s Bluetooth microphone, tamper with the car’s odometer or gain access to a car’s location information.

Why are these vulnerabilities not a bigger concern to auto companies? The auto industry’s primary safety concerns are centered on accidents or faults rather than the purposeful and malicious type of threats typical of cyber-attacks. The industry’s recommendations for designing cyber security into the system – SAE J3061 – have only just been published, demonstrating the time it can take to implement automobile safety standards. Once adopted, this framework will provide a structured process to help ensure that cyber security is built into designs throughout the product development pipeline.

Why does the auto industry have these long-known software vulnerabilities in the first place?

The answer lies in the way the industry is currently structured: automobile manufacturing is typically an efficient assembly operation, relying heavily on OEM suppliers for all components. This setup works well for mechanical assembly, where individual parts made to demanding specifications can be tested and quality controlled. When it comes to electronic systems, auto manufacturers act as system integrators and develop ‘glue logic’ to integrate the software associated with individual electronic modules.

Key suppliers to the automobile industry have been working to continuously enhance Automotive Security Hardware, covering a wide range of solutions from security add-ons for low-end hardware to more sophisticated high-performance systems. Along with developing technologies such as Secure Hardware Extension and projects like EVITA (E-Safety Vehicle Intrusion Protected Applications), industry bodies are also actively working on security issues, for example Side Channel Attack Analysis, to help identify potential side channel attacks and to aid the design of countermeasures.

Why your biggest privacy threat might be your car

Highly publicized hacking experiments like the Jeep Hacking video are leading lawmakers to consider establishing standards to ensure automakers implement the right safety, security and privacy mechanisms in their connected cars. Until that time, there is an urgent need for car manufacturers and their suppliers to leverage expertise from the IT security community to develop a security reference architecture, guidelines and processes. The IT community can help make the public aware of privacy issues, whilst in the meantime car manufacturers should implement security best practices used by their peers. Thankfully, although car security hacks are becoming increasingly sophisticated, there are developments being made that will eventually outpace them.

For more about Wipro Digital, visit http://wiprodigital.com/what-we-do/.

© 2024 Professional Security Magazine. All rights reserved.